feat(misconf): Use updated terminology for misconfiguration checks

[simar7]

Description

This PR updates the references in the code (and the UX) to use the updated terminology of a "check".

Related issues

• Close chore(misconf): Simplify nomenclature for misconfig checks #5609

Related PRs

• chore(checks): Rename repo to trivy-checks trivy-checks#109

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[simar7]

We probably have to update these flags as well: https://github.com/aquasecurity/trivy/blob/main/pkg/flag/rego_flags.go#L10-L44

[nikpivkin]

@simar7 I opened PR in testodcker.

@knqyf263 Can you take a look?

[simar7]

Note: tests are failing as this will fix them.

[DmitriyLewen]

Hello @simar7
left some comments.

Also take a look linter error, please.

[DmitriyLewen]

Left some small comments

[DmitriyLewen]

Hmm... what version of Go are you using on your local PC?
Why was this removed?

[simar7]

I'm not sure to be honest. Maybe it's redundant to specify toolchain when the go version is the same? https://go.dev/ref/mod#go-mod-file-toolchain

I run the following:

$ go version
go version go1.22.0 darwin/arm64

If you get rid of the patch version from the go directive within go.mod, I get this error:

$ go mod tidy
go: downloading go1.22 (darwin/arm64)
go: download go1.22 for darwin/arm64: toolchain not available

Running go mod tidy on the version in main automatically removes the toolchain directive and replaces it with this change.

[DmitriyLewen]

hm... this is strange...
my Go doesn't remove toolchain 😄 :

➜  trivy git:(main) git status
On branch main
Your branch is up to date with 'origin/main'.

nothing to commit, working tree clean
➜  trivy git:(main) go mod tidy
➜  trivy git:(main) go version
go version go1.22.2 darwin/arm64

[simar7]

Hmm I'm taking a look again to see what's going on. I will upgrade to Go 1.22.2 as you and try again.

[simar7]

@DmitriyLewen I don't have a good answer but after updating to go 1.22.2, go removed the toolchain directive for me but added a patch version to the go version https://github.com/aquasecurity/trivy/pull/6476/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R3

I personally think since our go version and toolchain are same, this behavior is normal and expected as specifying the same version for the toolchain and go version are redundant. But I'm not sure why I'm not able to replicate the behavior you see on your end.

Could you try the following?

1. Restore the go version from the main branch into my branch
2. Try running go mod tidy

[knqyf263]

Go also applies MVS to the Go version. Since trivy-checks uses go 1.22.0 now, Go chooses 1.22.0 rather than 1.22.
https://github.com/aquasecurity/trivy-checks/blob/55f3883e2b99a9a48a31c9db17270ab0af5b38f0/go.mod#L3

I'd suggest removing the patch version in trivy-checks. Otherwise, we need to bump the patch version every time (1.22.0 => 1.22.1 => 1.22.2...).

diff --git a/go.mod b/go.mod
index 2cf4c04..6352ca5 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/aquasecurity/trivy-checks

-go 1.22.0
+go 1.22

 require (
        github.com/aquasecurity/trivy v0.50.2

[simar7]

Thanks @knqyf263 for that info. I had a hunch it could be that but didn't get to it. Good to know about MVS!

I've updated trivy-checks repo and also used it within Trivy here

[knqyf263]

I've just reviewed go.mod and pkg/flag

[simar7]

I'd like @nikpivkin to review once again when he's back.

[nikpivkin]

LGTM